Coinbase impersonators steal over $2m in BTC and ETH from retired artist
Coinbase impersonators stole over $2 million worth of crypto from retired artist Ed Suman using data possibly obtained in the exchange’s recent customer support breach.
According to Bloomberg, Suman, 67, was targeted in early March after receiving a text message that appeared to be from Coinbase, warning of suspicious activity on his account.
When he responded, a man posing as a Coinbase security staffer called him and claimed his funds were at risk, even though they were reportedly stored offline in a hardware wallet.
The caller, who identified himself as Brett Miller, seemed convincing. He knew Suman used a Trezor Model One and claimed it could still be vulnerable.
Social engineering scams frequently rely on creating doubt around a user’s security, prompting them to take actions they otherwise wouldn’t.
Suman was guided through what was described as a “security check,” which involved entering his seed phrase into a fake website designed to look like Coinbase’s interface.
Nine days later, another impersonator claimed the earlier fix hadn’t worked and asked Suman to repeat the process, following which all of Suman’s crypto was gone, a stash that included 17.5 Bitcoin and 225 Ether, now valued at over $2 million.
Suman, who spent nearly two decades working on large-scale art pieces before turning to crypto investing in 2017, had stored his assets in cold storage specifically to avoid exchange-related risks.
The scammers’ ability to reference details like Suman’s wallet type and holdings raised red flags about how they obtained such specific data. It now appears this attack may have been one of many that followed a broader breach at Coinbase, which the company confirmed on May 15.
The breach wasn’t caused by a technical exploit but rather by social engineering. Criminals reportedly bribed third-party support contractors in India to leak sensitive customer information, including names, account balances, and transaction histories. In some cases, even partial Social Security numbers and Know Your Customer documents may have been accessed.
Coinbase said the intrusion was detected through internal monitoring, but signs suggest it may have begun as early as January, months before it was disclosed.
Adding to the fallout, the attackers reportedly tried to extort Coinbase for $20 million in exchange for not leaking the stolen data, a demand the company refused.
Per Coinbase, less than 1% of its monthly transacting users were affected, but that still represents tens of thousands of accounts. One high-profile victim was Sequoia Capital’s managing partner, Roelof Botha, whose personal details were also reportedly compromised.
The exchange is now facing an estimated $180–$400 million in costs tied to remediation and reimbursements.
While Coinbase has pledged to compensate victims of scams stemming from the breach, Suman told Bloomberg he has yet to receive confirmation that he’ll be reimbursed.
